
Maximum Unchanged Password Days configuration is not respected by the Applications

    • Bug
    • Resolution: Fixed
    • Low
    • 2.0.4
    • 2.0.1
    • None
    • None
    • Tested with JIRA 4.0

      Maximum Unchanged Password Days (Internal Directory) configuration is not respected by the Applications, only by the Crowd console.

      If the password is expired, Crowd still allows users to authenticate to the Applications.

            [CWD-1724] Maximum Unchanged Password Days configuration is not respected by the Applications

            Wolfgang Fellner added a comment:

            This is not a minor bug, it is at least a critical bug. You allow users to log in with a password that is not valid any more! When our security-officer gets info about this he will request to shut down Crowd and replace it by another software.
            When the JIRA-Stack is not able to handle "maximum unchanged days" Crowd should not tell JIRA that the credentials are valid.
            Fix this immediately please!

            David O'Flynn [Atlassian] added a comment:

            Hi Richard,

            It is strange. The reason is partly historic: JIRA has a completely different user management stack, and there's no way for Crowd to communicate concepts like "maximum unchanged days" to it.

            We're currently working to replace the JIRA stack with one derived from Crowd. This is a mammoth undertaking, but when we're done it'll allow us to fix issues like this.

            Cheers,
            Dave.
            Integration Product Manager.

            Richard Campbell added a comment:

            Crowd is being sold as a single sign-on server - yet it does not work with Jira. In our case, we want to use Jira for tracking issues, but we require greater security than is offered by Jira out-of-the-box.
            Therefore we intend to use Crowd as a password policy manager for Jira.
            However, it does not appear to function correctly.
            It seems very strange that Crowd does not function correctly when used with another tool from the Atlassian offering.

            Regards
            Richard Campbell
            Sony Europe

              pkuo Peggy
              rbattaglin Renan Battaglin